connect: Bump Envoy 1.20 to 1.20.7, 1.21 to 1.21.5 and 1.22 to 1.22.5 (#14831)

2022-10-04 13:15:01 -07:00 · 2022-10-04 13:15:01 -07:00 · 42423ffce2
parent d54966effc
commit 42423ffce2
5 changed files with 15 additions and 12 deletions
--- a/.changelog/14831.txt
+++ b/.changelog/14831.txt
@ -0,0 +1,3 @@
+```release-note:improvement
+connect: Bump Envoy 1.20 to 1.20.7, 1.21 to 1.21.5 and 1.22 to 1.22.5
+```
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@ -24,9 +24,9 @@ references:
    VAULT_BINARY_VERSION: 1.9.4
    GO_VERSION: 1.18.1
  envoy-versions: &supported_envoy_versions
-    - &default_envoy_version "1.20.6"
-    - "1.21.4"
-    - "1.22.2"
+    - &default_envoy_version "1.20.7"
+    - "1.21.5"
+    - "1.22.5"
    - "1.23.1"
  nomad-versions: &supported_nomad_versions
    - &default_nomad_version "1.3.3"
--- a/agent/xds/envoy_versioning_test.go
+++ b/agent/xds/envoy_versioning_test.go
@ -135,9 +135,9 @@ func TestDetermineSupportedProxyFeaturesFromString(t *testing.T) {
 	}
 	*/
 	for _, v := range []string{
-		"1.20.0", "1.20.1", "1.20.2", "1.20.3", "1.20.4", "1.20.5", "1.20.6",
-		"1.21.0", "1.21.1", "1.21.2", "1.21.3", "1.21.4",
-		"1.22.0", "1.22.1", "1.22.2",
+		"1.20.0", "1.20.1", "1.20.2", "1.20.3", "1.20.4", "1.20.5", "1.20.6", "1.20.7",
+		"1.21.0", "1.21.1", "1.21.2", "1.21.3", "1.21.4", "1.21.5",
+		"1.22.0", "1.22.1", "1.22.2", "1.22.3", "1.22.4", "1.22.5",
 		"1.23.0", "1.23.1",
 	} {
 		cases[v] = testcase{expect: supportedProxyFeatures{}}
--- a/agent/xds/proxysupport/proxysupport.go
+++ b/agent/xds/proxysupport/proxysupport.go
@ -8,7 +8,7 @@ package proxysupport
 // see: https://www.consul.io/docs/connect/proxies/envoy#supported-versions
 var EnvoyVersions = []string{
 	"1.23.1",
-	"1.22.2",
-	"1.21.4",
-	"1.20.6",
+	"1.22.5",
+	"1.21.5",
+	"1.20.7",
 }
--- a/website/content/docs/connect/proxies/envoy.mdx
+++ b/website/content/docs/connect/proxies/envoy.mdx
@ -39,9 +39,9 @@ Consul supports **four major Envoy releases** at the beginning of each major Con

 | Consul Version      | Compatible Envoy Versions                                                          |
 | ------------------- | -----------------------------------------------------------------------------------|
-| 1.13.x              | 1.23.1, 1.22.2, 1.21.4, 1.20.6                                                     |
-| 1.12.x              | 1.22.2, 1.21.4, 1.20.6, 1.19.5                                                     |
-| 1.11.x              | 1.20.6, 1.19.5, 1.18.6, 1.17.4<sup>1</sup>                                         |
+| 1.13.x              | 1.23.1, 1.22.5, 1.21.5, 1.20.7                                                     |
+| 1.12.x              | 1.22.5, 1.21.5, 1.20.7, 1.19.5                                                     |
+| 1.11.x              | 1.20.7, 1.19.5, 1.18.6, 1.17.4<sup>1</sup>                                         |

 1. Envoy 1.20.1 and earlier are vulnerable to [CVE-2022-21654](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21654) and [CVE-2022-21655](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21655). Both CVEs were patched in Envoy versions 1.18.6, 1.19.3, and 1.20.2.
 Envoy 1.16.x and older releases are no longer supported (see [HCSEC-2022-07](https://discuss.hashicorp.com/t/hcsec-2022-07-consul-s-connect-service-mesh-affected-by-recent-envoy-security-releases/36332)). Consul 1.9.x clusters should be upgraded to 1.10.x and Envoy upgraded to the latest supported Envoy version for that release, 1.18.6.